DETAILED ACTION

1. This office action is in response to Applicant's amendment filed on December 27, 2007.
Claim 1 has been amended. Claims 1-17 are pending. 

Response to Arguments 

2. Applicant's arguments filed on December 27, 2007 have been considered but are moot in
view of the new ground(s) of rejection.

Specification 

3. The specification is objected to as failing to provide proper antecedent basis for the 
claimed subject matter. See 37 CFR 1.75(d)(1) and MPEP § 608.01(o). Correction of the 
following is required: The term "computer readable storage medium" lacks antecedent basis in 
the specification. 

4. Claim Rejections - 35 USC § 101 

5. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

6. Claims 1-17 are rejected under 35 U.S.C. 101 because the claimed invention is directed
to non-statutory subject matter. Claim 1 is directed to a computer program stored on a computer
readable storage medium in which the "computer readable storage medium" is not defined in the
specification. The context in which the medium is used in the claim would fairly suggest to one of
ordinary skill signals or other forms of propagation and transmission media, typewritten or handwritten
text on paper, or other items failing to be an appropriate manufacture under 35 USC 101 in the
context of computer-related inventions.

Claim Rejections - 35 USC § 103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

1. Claims 1-3 and 6-10 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Nachenberg U.S. Patent Number 6,357,008 in view of Christodorescu "Detecting Malicious
Patterns in Executables via Model Checking" University of Wisconsin, July 12, 2002, page 1-15.
As per claim 1:

Nachenberg teaches a computer program for identifying malicious portions in a suspect 
computer program comprising: 

a preprocessor portion for receiving the suspect computer program and creating a 
logically equivalent standardized version of the suspect program; (col. 5, lines 27-39; col. 6, line 
53-col. 7, line 22) 

a library of standardized malicious code portions; (col. 7, line 23-col. 8, line 31; col. 9, 
lines 26-65) and 

a detector portion reviewing the standardized version against the library of malicious 
code portions to provide an output indicating when a malicious code portion is present in the 
suspect program, (col. 9, line 66-col. 10, line 10; col. 15, line 38-col. 16, line 63)

Nachenberg does not explicitly disclose creating a logically equivalent standardized
version of the suspect program without executing the suspect program. Christodorescu discloses
creating a logically equivalent standardized version of the suspect program without executing the
suspect program, (page 12-24) Therefore it would have been obvious to one of ordinary skill in the
art at the time the invention was made to modify the method disclosed by Nachenberg with
Christodorescu in order to analyze the program semantic structure to check the presence of
malicious properties, (page 12, Christodorescu)
As per claim 2: 

The combination of Nachenberg and Christodorescu teaches all the subject matter as 
discussed above. In addition, Nachenberg further teaches wherein the standardized version 
identifies the execution order of instructions of the suspect program and wherein the detector 
portion reviews the instructions of the standardized version according to the execution order, 
(col. 2, line 38-col. 4, line 65; col. 7, line 23-col. 8, line 31; col. 9, line 26-col. 10, line 10; col.
15, line 38-col. 16, line 63)
As per claim 3: 

The combination of Nachenberg and Christodorescu teaches all the subject matter as 
discussed above. In addition, Nachenberg teaches wherein the preprocessor identifies the 
execution order of the instructions by generation of a control-flow listing of the instructions, (col. 
2, line 38-col. 4, line 65; col. 9, lines 26-67) 
As per claim 6: 

The combination of Nachenberg and Christodorescu teaches all the subject matter as 
discussed above. In addition, Nachenberg further teaches wherein the standardized version 
removes irrelevant portions of the suspect program, (col. 13, line 42-col. 15, line 37)
As per claim 7: 

The combination of Nachenberg and Christodorescu teaches all the subject matter as 
discussed above. In addition, Nachenberg teaches wherein the preprocessor removes irrelevant 
portions by identifying irrelevant portions to the detector so that the detector ignores identified 
irrelevant portions when reviewing the standardized version, (col. 13, line 42-col. 15, line 37) 
As per claim 8: 

The combination of Nachenberg and Christodorescu teaches all the subject matter as 
discussed above. In addition, Nachenberg teaches wherein the irrelevant portions are one or more 
nop instructions, (col. 13, line 42-col. 15, line 37) 
As per claim 9: 

The combination of Nachenberg and Christodorescu teaches all the subject matter as 
discussed above. In addition, Nachenberg teaches wherein the standardized version uses 
uninterpreted variables, (col. 13, line 42-col. 15, line 37) 
As per claim 10: 

The combination of Nachenberg and Christodorescu teaches all the subject matter as 
discussed above. In addition, Nachenberg teaches wherein the suspect program is a binary 
executable and wherein the preprocessor receives the binary executable to generate a listing of 
instructions and data values, (col. 13, line 42-col. 15, line 37) 

2. Claims 4-5 and 11-17 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Nachenberg U.S. Patent Number 6,357,008 in view of Christodorescu "Detecting Malicious
Patterns in Executables via Model Checking" University of Wisconsin, July 12, 2002, page 1-29
in view of Ho et al. (hereinafter Ho) U.S. Patent Number 7,188,369. 
As per claims 4 and 14: 

The combination of Nachenberg and Christodorescu teaches all the subject matter as 
discussed above. Both references do not explicitly disclose wherein the standardized version 
maps instructions of the suspect program to corresponding standard synonym instructions. Ho in 
analogous art, however, discloses wherein the standardized version maps instructions of the 
suspect program to corresponding standard synonym instructions, (col. 5, lines 25-col. 6, line 40) 
Therefore it would have been obvious to one of ordinary skill in the art at the time the invention
was made to modify the method disclosed by Nachenberg and Christodorescu with Ho in order
to receive external instructions and for execution and perform their respective antivirus
functionalities, (col. 6, lines 18-21; Ho)
As per claims 5 and 15:

The combination of Nachenberg, Christodorescu and Ho teaches all the subject matter as 
discussed above. In addition, Ho further teaches wherein the standard synonym instructions are 
different in number from the instructions of the suspect program to which the synonym 
instructions map. (col. 5, lines 25-col. 6, line 40) 
As per claims 11 and 16:

The combination of Nachenberg and Christodorescu teaches all the subject matter as 
discussed above. Both references do not explicitly disclose including a library of patterns 
matching to one or more instructions of the suspect program and wherein the preprocessor 
creates the standardized version by replacing instructions of the suspect program with matching 
ones of the library of patterns and wherein the library of standardized malicious code portions
are also collections of ones of the library of patterns, (col. 5, lines 25-col. 6, line 40) Therefore it
would have been obvious to one of ordinary skill in the art at the time the invention was made to
modify the method disclosed by Nachenberg with Ho in order to receive external instructions 
and for execution and perform their respective antivirus functionalities, (col. 6, lines 18-21; Ho) 
As per claims 12 and 17: 

The combination of Nachenberg, Christodorescu and Ho teaches all the subject matter as 
discussed above. In addition, Ho further teaches wherein a pattern is at least one instruction 
logically replacing at least one different instruction in the suspect program, (col. 5, lines 25-col. 
6, line 40) 
As per claim 13: 

The combination of Nachenberg, Christodorescu and Ho teaches all the subject matter as 
discussed above. In addition, Ho further teaches wherein a pattern is a tag replacing at least one
instruction logically having no substantive effect on the execution of the suspect program; a 
library of patterns is implemented as a look-up table matching instructions to the patterns, (col. 5, 
lines 25-col. 6, line 40) 

Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO
MONTHS of the mailing date of this final action and the advisory action is not mailed until after
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event,
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to SHEWAYE GELAGAY whose telephone number is (571)272-4219.
The examiner can normally be reached on 8:00 am to 5:30 pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on 571-272-3865. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 